CN113572726B - Multimode network control-data plane consistency verification method and device - Google Patents
- Publication number: CN113572726B (application CN202110634085.9A)
- Authority: CN (China)
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- H04L63/12—Applying verification of the received information (under H04L63/00, Network architectures or network communication protocols for network security)
- H04L63/1408—Detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14)
- H04L63/1425—Traffic logging, e.g. anomaly detection (under H04L63/1408)
Abstract
The invention provides a multi-mode network control-data plane consistency check method and device. A consistency check component is loaded in the multi-mode network control plane, and a probe generation component and a log sampling component are loaded in the multi-mode network data plane. The probe generation component injects probe traffic into the network so that it is forwarded through the data plane; the log sampling component samples, analyzes and collates the probe traffic forwarded and output through the data plane and sends the collated result to the consistency check component; the consistency check component compares the analysis result of the network configuration information in the control plane with the collated result produced by the log sampling component to complete the check. The network configuration information analysis result and the collated result produced by the log sampling component use the same file format. The invention can complete the consistency check of the control plane and the data plane and provide a security basis for the multi-mode network to carry various services.
Description
Technical Field
The present invention relates to the field of novel network architecture, and in particular, to a method and apparatus for checking the consistency of a multi-mode network control-data plane.
Background
The multi-mode intelligent network supports full-dimension definition and multi-mode presentation of addressing and routing, switching mode, interconnection mode, network element form, transmission protocol and the like, and its data layer adopts a flexible, definable mode to provide data plane support for the services of each modality. Thanks to its programmability and flexible message processing, the definable data plane solves long-standing problems of network architectures such as rigid protocol support and single-purpose network functions, offers a new approach to designing novel data plane functions, and is widely deployed in novel network architectures. However, while it eases the efficient deployment of new network architectures, the definable data plane itself introduces various security risks.
In recent years the problem of consistency checking between the control plane and the data plane has drawn industry attention: under the designed novel network structure, how to ensure that the data plane's processing of traffic satisfies the flow-rule requirements configured by the control plane has become a research hotspot in the field of novel network structures. However, related research focuses on consistency checking of programmable programs. This approach leaves aside the various security vulnerabilities that may actually occur while a data plane processes a data stream, vulnerabilities that cause flow-rule inconsistency, and it is too coarse-grained compared with runtime consistency checking. In fact, these static verification methods (usually based on assertion checking at program compile time) have no packet input at all and judge only from the logic of the program, so false reports are easy to produce. Different inputs at runtime may trigger unknown or abnormal behaviour, such as the processing of invalid packet headers.
Disclosure of Invention
To address the potential consistency-related security hazards that may arise when the control plane and the data plane operate, the invention provides a multi-mode network control-data plane consistency check method and device. A consistency check component is introduced into the multi-mode network control plane to analyze and compare the flow rules configured by the controller with the data plane probing result; active probes are injected into the multi-mode data plane to detect and record the flow policy currently executed by the data plane, which is then compared with the configuration information of the control plane to complete the consistency check, thereby providing a security basis for the multi-mode network to carry various services.
In one aspect, the invention provides a method for checking the consistency of a multi-mode network control-data plane, in which a consistency check component is loaded in the multi-mode network control plane and a probe generation component and a log sampling component are loaded in the multi-mode network data plane, the method comprising:
step 1: the probe generation component injects probe traffic into the network, so that the probe traffic is forwarded through the data plane;
step 2: the log sampling component samples, analyzes and collates the probe traffic forwarded and output through the data plane, and sends the collated result to the consistency check component;
step 3: the consistency check component compares the analysis result of the network configuration information in the control plane with the collated result produced by the log sampling component to complete the check; the network configuration information analysis result and the collated result produced by the log sampling component use the same file format.
Further, step 1 specifically includes:
the probe generation component obtains a data packet format from the data plane and then generates a group of short-frame probes conforming to that packet format as probe traffic; the packet format is issued to the data plane by the modality controller of the control plane.
Further, in step 2, before the collated result is sent to the consistency check component, the method further includes:
the log sampling component integrates the collated results of all sampled short-frame probes by a statistical method into a log file indicating the execution status and state information of the data plane flow rules, and this log file is used as the final collated result.
Further, the collation in step 2 includes:
the log sampling component collates the change information of the key field values corresponding to the key flow rules and the record of the operations the data plane performed on those key fields, forming the collated result.
Further, step 3 specifically includes:
the consistency check component uses a simulation algorithm to simulate the processing of the key fields in the flow rules generated by compiling the user program, so as to produce the packet processing result the user program expects; this packet processing result serves as the network configuration information analysis result in the control plane.
In another aspect, the invention provides a multi-mode network control-data plane consistency check device comprising a probe generation component, a log sampling component and a consistency check component; the probe generation component and the log sampling component are arranged in the multi-mode network data plane, and the consistency check component is arranged in the multi-mode network control plane;
the probe generation component is used to inject probe traffic into the network so that the probe traffic is forwarded through the data plane;
the log sampling component is used to sample, analyze and collate the probe traffic forwarded and output through the data plane, and to send the collated result to the consistency check component;
the consistency check component is used to compare the analysis result of the network configuration information in the control plane with the collated result produced by the log sampling component so as to complete the check; the network configuration information analysis result and the collated result produced by the log sampling component use the same file format.
The beneficial effects of the invention are:
Following the idea of decoupling the control plane and the data plane in the network, the components that realize the consistency check are deployed separately on the control plane and the data plane. This isolation guarantees the independence of the check information: the processing result obtained by active probing of the data plane is generated independently of the expected processing result of the network control plane, so that possible cross-influence is avoided.
The invention introduces an active probing mechanism in the multi-mode network data plane. After the modality controller issues a flow rule, the data plane device node actively generates a group of short-frame packets in the corresponding format and hands them to the subsequent pipeline for processing, completing a series of logic function operations; the processing result is sent by the log sampling component to the consistency check component of the control plane for analysis and feedback.
The invention can realize the consistency check of the multi-mode network control-data plane, effectively improve the stability and security of the multi-mode network data plane, help the network administrator to discover data plane device node faults in time, and ensure that the multi-mode network base platform effectively supports each upper-layer service.
Drawings
FIG. 1 is a block diagram of a multimode network control-data plane consistency check device according to an embodiment of the present invention;
FIG. 2 is an explanatory diagram of a definable data plane probe log generation scheme according to an embodiment of the present invention;
FIG. 3 is a flowchart of a multi-mode network control-data plane consistency check method according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to FIG. 1 to FIG. 3, an embodiment of the invention provides a method for checking the consistency of a multi-mode network control-data plane, in which a consistency check component is loaded in the multi-mode network control plane and a probe generation component and a log sampling component are loaded in the multi-mode network data plane; the method includes:
S101: the probe generation component injects probe traffic into the network, so that the probe traffic is forwarded through the data plane;
S102: the log sampling component samples, analyzes and collates the probe traffic forwarded and output through the data plane, and sends the collated result to the consistency check component;
S103: the consistency check component compares the analysis result of the network configuration information in the control plane with the collated result produced by the log sampling component to complete the check; the network configuration information analysis result and the collated result produced by the log sampling component use the same file format.
From a macroscopic view, the overall design of the consistency check method provided by this embodiment is based on the idea of decoupling the control plane and the data plane in the network (as shown in FIG. 1): the components realizing the consistency check are deployed separately on the control plane and the data plane, and this isolation guarantees the independence of the check information, that is, the processing result obtained by active probing of the data plane is generated independently of the expected processing result of the network control plane, so that possible cross-influence is avoided. The core component of the invention is the consistency check component of the control plane, whose input consists of two parts: 1) the analysis result of the network configuration information in the control plane; 2) the probing and sampling result uploaded by the data plane. Both inputs use the same file structure (for example JSON), so a simple and efficient check algorithm can be used; this simplifies the check operation and reduces the effect of the delay introduced by checking on the accuracy and timeliness of the check result.
Building on the above, an embodiment of the invention provides a method for checking the consistency of a multi-mode network control-data plane which includes the following steps:
S201: the probe generation component obtains a data packet format from the data plane, then generates a group of short-frame probes conforming to that packet format as probe traffic, and causes the probe traffic to be forwarded through the data plane, that is, processed by the packet processing pipeline in the data plane; the packet format is issued to the data plane by the modality controller of the control plane.
Specifically, the upper-layer user program defines the packet format and the processing logic, which are compiled and then issued to the data plane through the modality controller. The probe generation component obtains the packet format from the data plane; it typically contains the protocol type and source node information.
To reduce the disturbance the probes cause to the performance of the data plane device node, the packet size of each generated short-frame probe can be strictly controlled. For example, for IPv4 modality traffic each short-frame probe may contain only the five-tuple information and a payload field used for recording.
It should be noted that, to improve the reliability and completeness of the check information, the probe generation component should send as many probes as possible without affecting the performance of the data plane device. After the probe generation component sends out a group of short-frame probes in the specified format, the packet processing pipeline processes them in turn according to its internal logic functions: each short-frame probe matches a flow rule and the corresponding actions are executed, it finally reaches an output port, and the log sampling component analyzes the processed packet to extract the record information needed for the check.
S202: the log sampling component samples, analyzes and collates the probe traffic (that is, the group of short-frame probes generated in the previous step) forwarded and output through the data plane; it integrates the collated results of all sampled short-frame probes by a statistical method into a log file indicating the execution status and state information of the data plane flow rules, and sends this log file, as the final collated result, to the consistency check component;
Specifically, after a short-frame probe sent by the probe generation component has been matched and acted upon by the packet processing pipeline, the log sampling component analyzes the processed probe to generate a log file; the log file is combined with the recorded port information and uploaded to the consistency check component of the control plane.
Specifically, the consistency check of the control plane and the data plane mainly targets the execution status of the key flow rules in the user program. In one implementation, for each sampled short-frame probe the log sampling component collates the change information of the key field values corresponding to the key flow rules and the record of the operations the data plane performed on those key fields, forming the collated result for that short-frame probe; the collated results of all short-frame probes are obtained in the same way; these are integrated into a log file, which is uploaded to the consistency check component as the final collated result.
It should be noted that, so as not to affect normal service communication between the control plane and the data plane, the log sampling component uploads the sampled log file to the consistency check component through a dedicated communication tunnel for the subsequent check.
S203: the consistency check component uses a simulation algorithm to simulate the processing of the key fields in the flow rules generated by compiling the user program, so as to produce the packet processing result the user program expects; this packet processing result serves as the network configuration information analysis result in the control plane and is compared with the collated result produced by the log sampling component to complete the check.
Specifically, the function used for the comparison is mainly a Boolean function that checks the two inputs and decides whether the data plane device node is faulty: if the comparison finds them consistent, the data plane device node has no fault; otherwise it is faulty.
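As an added illustration (not code from the patent), the following Python models the three components of steps 1 to 3 and S201 to S203 on a constructed IPv4-modality rule table: the probe generation component builds short-frame five-tuple probes, one first-match routine serves both as the control plane's simulation algorithm over the compiled flow rules and as a stand-in for the device's packet processing pipeline, the log sampling component collates per-probe key-field records and rule-hit statistics into a JSON-serialisable log, and the consistency check component's Boolean comparison reports which probes diverge. The rule table, probe format and the injected fault (a wrong output port on one installed rule) are all constructed assumptions.

```python
import ipaddress
import json

# Control plane view: flow rules compiled from the user program (constructed sample).
# Each rule matches five-tuple fields and acts on the "key fields" ttl and out_port.
FLOW_RULES = [
    {"id": "r1", "match": {"dst_net": "10.0.1.0/24", "proto": 6},
     "actions": [["dec_ttl", None], ["set_port", 2]]},
    {"id": "r2", "match": {"dst_net": "10.0.2.0/24"},
     "actions": [["dec_ttl", None], ["set_port", 3]]},
    {"id": "default", "match": {}, "actions": [["drop", None]]},
]
KEY_FIELDS = ("ttl", "out_port")

def generate_probes(count):
    """Probe generation component: short-frame IPv4 probes that carry only a
    five-tuple plus a payload field (probe_id) used for recording."""
    probes = []
    for i in range(count):
        probes.append({"probe_id": i, "src_ip": "10.0.0.9",
                       "dst_ip": f"10.0.{1 + i % 3}.{10 + i}",
                       "src_port": 40000 + i, "dst_port": 80, "proto": 6,
                       "ttl": 64, "out_port": None})
    return probes

def rule_matches(rule, pkt):
    for key, want in rule["match"].items():
        if key == "dst_net":
            if ipaddress.ip_address(pkt["dst_ip"]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def process(pkt, rules):
    """First-match pipeline. The control plane runs it over FLOW_RULES as its
    simulation algorithm; here it also stands in for the device pipeline so the
    data plane side can be driven with a different (faulty) installed table.
    Returns the per-probe record: key-field values after processing and the
    operations applied to them."""
    p = dict(pkt)
    ops = []
    for rule in rules:
        if not rule_matches(rule, p):
            continue
        for act, arg in rule["actions"]:
            if act == "dec_ttl":
                p["ttl"] -= 1
            elif act == "set_port":
                p["out_port"] = arg
            elif act == "drop":
                p["out_port"] = "drop"
            ops.append(act)
        return {"probe_id": p["probe_id"], "rule": rule["id"],
                "key_fields": {f: p[f] for f in KEY_FIELDS}, "ops": ops}
    raise ValueError("rule table has no default rule")

def collate(records):
    """Log sampling component: merge the per-probe records into one log file
    (a JSON-serialisable dict) with per-rule hit counts as the statistics."""
    hits = {}
    for r in records:
        hits[r["rule"]] = hits.get(r["rule"], 0) + 1
    return {"probes": sorted(records, key=lambda r: r["probe_id"]),
            "rule_hits": hits}

def verify(expected_log, observed_log):
    """Consistency check component: Boolean comparison of the two inputs, which
    share one JSON layout. Returns (consistent, ids of diverging probes); a
    probe missing from the sampled log also counts as a divergence."""
    exp = {r["probe_id"]: r for r in expected_log["probes"]}
    obs = {r["probe_id"]: r for r in observed_log["probes"]}
    mismatched = sorted(pid for pid in exp if obs.get(pid) != exp[pid])
    return (not mismatched and set(exp) == set(obs)), mismatched

def run_check(installed_rules, count=6):
    """End-to-end run: probes -> expected log (control plane) and observed log
    (data plane with whatever rules are really installed) -> comparison."""
    probes = generate_probes(count)
    expected = collate([process(p, FLOW_RULES) for p in probes])
    observed = collate([process(p, installed_rules) for p in probes])
    # Round-trip through JSON text, as the two logs would be exchanged on the wire.
    return verify(json.loads(json.dumps(expected)), json.loads(json.dumps(observed)))

# Constructed fault: the device node holds r1 with the wrong output port (5 instead of 2).
FAULTY_RULES = json.loads(json.dumps(FLOW_RULES))
FAULTY_RULES[0]["actions"][1][1] = 5

if __name__ == "__main__":
    print(run_check(FLOW_RULES))   # (True, [])
    print(run_check(FAULTY_RULES)) # (False, [0, 3])
```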
This embodiment introduces an active probing mechanism in the multi-mode network data plane, as shown in FIG. 2. After the modality controller issues the flow rules, the data plane device node actively generates a group of short-frame packets in the corresponding format and hands them to the subsequent pipeline for processing, completing a series of logic function operations; the processing result is submitted by the log sampling component to the consistency check component of the control plane for analysis and feedback.
An embodiment of the invention also provides a device for checking the consistency of a multi-mode network control-data plane, shown in FIG. 1 and FIG. 2, which comprises a probe generation component, a log sampling component and a consistency check component; the probe generation component and the log sampling component are arranged in the multi-mode network data plane, and the consistency check component is arranged in the multi-mode network control plane;
the probe generation component is used to inject probe traffic into the network so that the probe traffic is forwarded through the data plane;
the log sampling component is used to sample, analyze and collate the probe traffic forwarded and output through the data plane, and to send the collated result to the consistency check component;
the consistency check component is used to compare the analysis result of the network configuration information in the control plane with the collated result produced by the log sampling component so as to complete the check; the network configuration information analysis result and the collated result produced by the log sampling component use the same file format.
It should be noted that the device for checking the consistency of the multi-mode network control-data plane provided by this embodiment implements the above method embodiments; its functions can be found in the method embodiments above and are not repeated here.
The invention can realize the consistency check of the multi-mode network control-data plane, effectively improve the stability and security of the multi-mode network data plane, help the network administrator to discover data plane device node faults in time, and ensure that the multi-mode network base platform effectively supports each upper-layer service.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (4)
1. A method for checking the consistency of a multi-mode network control-data plane, wherein a consistency check component is loaded in the multi-mode network control plane and a probe generation component and a log sampling component are loaded in the multi-mode network data plane, the method comprising:
step 1: the probe generation component injects probe traffic into the network, so that the probe traffic is forwarded through the data plane;
step 2: the log sampling component samples, analyzes and collates the probe traffic forwarded and output through the data plane, and sends the collated result to the consistency check component; the collation in step 2 comprises: the log sampling component collates the change information of the key field values corresponding to the key flow rules and the record of the operations the data plane performed on those key fields, forming the collated result;
step 3: the consistency check component uses a simulation algorithm to simulate the processing of the key fields in the flow rules generated by compiling the user program, so as to produce the packet processing result the user program expects; it takes this packet processing result as the network configuration information analysis result in the control plane and compares that analysis result with the collated result produced by the log sampling component to complete the check; the network configuration information analysis result and the collated result produced by the log sampling component use the same file format.
2. The method of claim 1, wherein step 1 specifically comprises:
the probe generation component obtains a data packet format from the data plane and then generates a group of short-frame probes conforming to that packet format as probe traffic; the packet format is issued to the data plane by the modality controller of the control plane.
3. The consistency check method of claim 2, wherein, before the collated result is sent to the consistency check component in step 2, the method further comprises:
the log sampling component integrates the collated results of all sampled short-frame probes by a statistical method into a log file indicating the execution status and state information of the data plane flow rules, and this log file is used as the final collated result.
4. A multi-mode network control-data plane consistency check device, characterized by comprising a probe generation component, a log sampling component and a consistency check component; the probe generation component and the log sampling component are arranged in the multi-mode network data plane, and the consistency check component is arranged in the multi-mode network control plane;
the probe generation component is used to inject probe traffic into the network so that the probe traffic is forwarded through the data plane;
the log sampling component is used to sample, analyze and collate the probe traffic forwarded and output through the data plane, and to send the collated result to the consistency check component; the collation comprises: the log sampling component collates the change information of the key field values corresponding to the key flow rules and the record of the operations the data plane performed on those key fields, forming the collated result;
the consistency check component is used to simulate, by a simulation algorithm, the processing of the key fields in the flow rules generated by compiling the user program so as to produce the packet processing result the user program expects, to take this packet processing result as the network configuration information analysis result in the control plane, and to compare that analysis result with the collated result produced by the log sampling component so as to complete the check; the network configuration information analysis result and the collated result produced by the log sampling component use the same file format.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110634085.9A CN113572726B (en) | 2021-06-07 | 2021-06-07 | Multimode network control-data plane consistency verification method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113572726A CN113572726A (en) | 2021-10-29 |
CN113572726B true CN113572726B (en) | 2023-04-28 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||